Google vs Microsoft spat reopens disclosure debate
The latest bug disclosure disagreement between the software giants has reopened the debate into the ethics of disclosure.
A new bug disclosure dispute between Google and Microsoft has rekindled the debate over disclosure ethics, but while the industry mulls the theoretical pros and cons, it is the end user who suffers.
The current disagreement hinges on the discovery by Google security researchers of zero-day exploits in Windows and Adobe Flash. The researchers notified the two companies on Friday, October 21st. Adobe updated Flash on October 26th to address CVE-2016-7855 (available via Adobe's updater and Chrome auto-update), but after seven days, Microsoft had not issued a patch to fix the flaw. Google then publicly disclosed the vulnerability in a blog post stating: “After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited.”
However, Microsoft hit back at the prompt public disclosure: “Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.” Microsoft claims that the bug has indeed been squashed, and that the patch will ship in the next Patch Tuesday release, on November 7.
Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: "Taking into consideration that the vulnerability is actively exploited in the wild, and Microsoft delays a security patch, I can understand Google's motivation to urge Microsoft to release the patch. However, in this particular case, full disclosure may just aggravate the situation for the end-users (victims) by making more cybercriminals exploit the flaw."
Although Google’s disclosure doesn’t precisely pinpoint the vulnerability, it does provide strong clues: “The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”
At first sight it’s a simple enough tale, but as usual in the security world, there are a few more layers to it. Google’s bug disclosure policy has been a source of friction between the companies before, back in 2014 and in 2015, and indeed the disclosure deadlines (seven days for critical vulnerabilities under active exploitation, 90 days for critical vulnerabilities that aren’t) were reviewed after considerable industry debate at the time. Google itself admits that “seven days is an aggressive timeline”, and has certainly flexed the 90-day deadline for Apple in the past.
Then there’s the question of defining ‘active exploitation’: in this case, Microsoft has been at pains to point out that the vulnerability in question has been used as part of a low-volume spearphishing campaign by a group Microsoft calls ‘Strontium’ and that other vendors track as Fancy Bear, APT28, Sednit and Pawn Storm. The attack in question relies on a Flash vulnerability to gain control of the browser process, then elevates privileges to escape the browser sandbox, and finally installs a backdoor.
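The two deadlines quoted above (seven days for a critical vulnerability under active exploitation, 90 days otherwise) are effectively a decision rule with one contested input, the "actively exploited" flag. The following Python is an added illustration, not code from Google, Microsoft or the article, that encodes that rule and runs it over the dates the article gives: notification on 21 October 2016, Adobe's fix on 26 October, Google's disclosure after the seven-day window, and Microsoft's patch on the 7 November date the article cites. The `Report` structure, the status labels and the choice of 31 October as the "today" for Google's disclosure check are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines as described in the article (Google's published policy).
CRITICAL_EXPLOITED_DAYS = 7
CRITICAL_DAYS = 90


@dataclass
class Report:
    """One vendor notification. `fixed` is None while no patch has shipped.
    (Hypothetical structure for this example.)"""
    vendor: str
    reported: date
    actively_exploited: bool
    fixed: Optional[date] = None


def deadline(report: Report) -> date:
    """Disclosure deadline: the clock length depends only on the exploitation flag."""
    days = CRITICAL_EXPLOITED_DAYS if report.actively_exploited else CRITICAL_DAYS
    return report.reported + timedelta(days=days)


def status(report: Report, today: date) -> str:
    """Classify a report on a given day.

    'fixed-in-time'  patch shipped on or before the deadline
    'fixed-late'     patch shipped, but after the deadline had passed
    'pending'        no patch yet, deadline not reached
    'disclose'       no patch, deadline reached: policy says publish
    """
    due = deadline(report)
    if report.fixed is not None:
        return "fixed-in-time" if report.fixed <= due else "fixed-late"
    return "disclose" if today >= due else "pending"


def article_timeline() -> dict:
    """Apply the rule to the events reported in the article (dates from the page)."""
    notified = date(2016, 10, 21)
    adobe = Report("Adobe", notified, actively_exploited=True, fixed=date(2016, 10, 26))
    # Microsoft as seen on the day Google published (assumed 31 Oct): no fix yet.
    ms_at_disclosure = Report("Microsoft", notified, actively_exploited=True)
    # Microsoft with the Patch Tuesday date the article cites.
    ms_patched = Report("Microsoft", notified, actively_exploited=True, fixed=date(2016, 11, 7))
    # Same Microsoft patch if the bug had *not* been classed as actively exploited.
    ms_not_exploited = Report("Microsoft", notified, actively_exploited=False, fixed=date(2016, 11, 7))

    day_of_disclosure = date(2016, 10, 31)
    return {
        "deadline_exploited": deadline(adobe),
        "adobe": status(adobe, day_of_disclosure),
        "microsoft_at_disclosure": status(ms_at_disclosure, day_of_disclosure),
        "microsoft_patched": status(ms_patched, day_of_disclosure),
        "microsoft_if_not_exploited": status(ms_not_exploited, day_of_disclosure),
    }


if __name__ == "__main__":
    for k, v in article_timeline().items():
        print(f"{k}: {v}")
```

The last two entries make the point of the dispute concrete: the same 7 November patch is "late" under the seven-day clock and comfortably "in time" under the 90-day clock, so whether a low-volume spearphishing campaign counts as "active exploitation" is what actually decides the outcome, not the patch itself.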
Inevitably, the dispute has reignited the perennial debate around disclosure, and whether the industry should be regulated externally or continue to self-regulate. Microsoft went on the record the last time this happened, back in 2015, stating: “We asked Google to work with us to protect customers by withholding details until we will be releasing a fix. Although following through keeps to Google’s announced timeline for disclosure, the decision feels less like principles and more like a “gotcha”, with customers the ones who may suffer as a result. Microsoft has long believed coordinated disclosure is the right approach and minimizes risk to customers. We believe those who fully disclose a vulnerability before a fix is broadly available are doing a disservice to millions of people and the systems they depend upon.”
So has the time come for more regulation? Ilia Kolochenko thinks not: “Google has a great vision and knowledge of vulnerability research, so I think it’s rather about corporate policy and business, than about a premature decision. I don’t think we need a law or regulation right now for vulnerability disclosure, but a formal framework, encouraging companies to cooperate closely and help each other in order to protect end-users, would be great.”
“I think it’s not a question of days, but rather of efficient cooperation to fix the vulnerability. Google has great cybersecurity experts and engineers who can definitely help other companies to understand the problem faster and help fix it. Instead of endless discussions about the ethics of full disclosure, we should rather concentrate on inter-corporate coordination, cooperation and support to make the Internet safer,” he summarised.